3. Develop a consent management strategy with an eye towards the consumer experience.

4. Determine how you will authenticate user identity to address data subject requests.

5. Identify and capitalise on existing processes to help respond to data subject requests.

My business is headquartered outside of Europe, does GDPR apply to us?

Potentially. If you market products or services to individuals in the EU and you collect personal data, then GDPR may affect your business. GDPR is not only applicable to companies based in Europe. GDPR could apply to any company, even those located outside of Europe, if it offers goods and services or markets to individuals in the EU.

What is the role of Adobe as a data processor?

As a data processor, Adobe provides software and services to an enterprise, like yours, for the personal data you ask us to process and store. We only process personal data in accordance with your company’s instructions as set out in your agreement with us. If your consumers’ data is in an Adobe solution and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services and tools to help you to respond.

Do marketers need to get all new consents for their marketing database?

GDPR changes how brands obtain consent and may require some consents to be refreshed or updated. For instance, if a brand’s current consent practices meet or exceed the obligations outlined by GDPR then no changes to consent may be needed. However, if a brand’s consent practices fall short of the enhanced obligations, then those consents should be reevaluated and modernised.

What is my role as a data controller?

As the data controller, you determine the personal data that Adobe processes and shops on your behalf. If you use Adobe Cloud solutions, we may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe account or service. As a data controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information and obtain consents, if needed. If at some point during the consumer lifecycle those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will need to have mechanisms in place to respond to those requests.

How should data controllers think about consent when it comes to user engagement?

The consent management space (e.g., tools, standards, best practices) is evolving and is an area to watch. To minimise impact on user engagement, controllers should work with vendors in this space and with their counsel and follow emerging EU laws and guidance on consent and cookies. Thinking about “experiential privacy” by using an on-brand, contextually relevant, cookie-notice experience that sets out the value proposition of your data collection activities is a good strategy.

Does GDPR dictate that data must stay in Europe?

No. GDPR requires that the privacy protections afforded to European data flow with it wherever is transferred or accessed. Visit the Adobe Privacy centre to learn more about how Adobe addresses data transfers when you use Adobe Cloud Solutions.

Do marketers need consent for everything?

Marketers don’t necessarily need consent for everything and this will depend on the nature of the data collection practices. There is some scope to rely on other bases for processing, like legitimate interest, for certain marketing activities. Companies should work with their counsel to explore the best approach to support their marketing initiatives.

Get the details of our GDPR updates.

Find out how our latest product updates can help you to meet EU privacy obligations.